This topic answers frequently asked questions about log management for Web Application Firewall (WAF) 3.0.
Why can't I find some logs?
WAF logs include two categories of fields: required fields (enabled by default) and optional fields (disabled by default). If log entries are missing, you likely need to enable the relevant optional fields.
Go to Log fields and enable the fields you need. For custom rules, enable acl_action, acl_rule_id, acl_rule_type, and acl_test to capture logs for triggered protection rules.

Enabling optional fields increases log storage consumption. Enable only the fields you need.
Why can I view logs older than the specified retention period?
This is expected behavior. WAF's deletion process can be delayed by up to seven days, so logs may remain visible during the deletion window even after the retention period has passed. For example, if you set the retention period to 90 days, you may still see logs older than 90 days. You are not charged for delayed-deletion logs, and they do not count toward your storage capacity.
What is the value of the remote_addr field when using cloud native mode with an ALB instance?
The remote_addr field value depends on how the Application Load Balancer (ALB) instance is configured.
| ALB instance configuration | Value of the remote_addr field |
|---|---|
| Find Real Client Source IP is not enabled. | Source IP address of the client directly connecting to ALB. If a Layer 7 proxy (such as Alibaba Cloud CDN or Anti-DDoS Pro and Anti-DDoS Premium) sits in front of ALB, this is the upstream proxy's IP address. |
| Retrieve Client Source IP is enabled, and the client's source IP address is in the Trusted IP List. | Content of the X-Forwarded-For field. |
| Retrieve Client Source IP is enabled, and the source IP address is not in the Trusted IP List. | Source IP address of the client directly connecting to ALB. If a Layer 7 proxy (such as Alibaba Cloud CDN or Anti-DDoS Pro and Anti-DDoS Premium) sits in front of ALB, this is the upstream proxy's IP address. |
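
The table above expressed as a small Python model, added here as an illustration and not Alibaba Cloud code. It assumes the Trusted IP List holds CIDR ranges matched against the address connecting directly to ALB, and that a request without X-Forwarded-For falls back to that address; the function name and the sample addresses (documentation ranges) are constructed.

```python
import ipaddress


def logged_remote_addr(peer_ip, xff, retrieve_enabled, trusted_cidrs):
    """Return (value, source) expected in remote_addr for one request.

    peer_ip: address connecting directly to ALB (client or Layer 7 proxy)
    xff: content of the X-Forwarded-For header, or None if absent
    retrieve_enabled: client source IP retrieval setting on the ALB instance
    trusted_cidrs: Trusted IP List, assumed here to be CIDR strings
    """
    if not retrieve_enabled:
        # Row 1: the direct peer, which is the proxy when one sits in front.
        return peer_ip, "peer"
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(
        peer in ipaddress.ip_network(cidr, strict=False)
        for cidr in trusted_cidrs
    )
    if trusted and xff:
        # Row 2: the header content is used as-is.
        return xff, "x-forwarded-for"
    # Row 3; a missing header is handled the same way (assumption).
    return peer_ip, "peer"


if __name__ == "__main__":
    # Constructed scenario: a CDN node forwards a request for one client.
    cdn_node, client = "198.51.100.7", "203.0.113.50"
    cases = [
        ("retrieval disabled", False, []),
        ("enabled, CDN range trusted", True, ["198.51.100.0/24"]),
        ("enabled, CDN range not trusted", True, ["192.0.2.0/24"]),
    ]
    for label, enabled, trusted in cases:
        value, source = logged_remote_addr(cdn_node, client, enabled, trusted)
        print(f"{label}: remote_addr={value} (from {source})")
```

In the first and third cases every request that arrives through the same proxy node is logged with that node's address, so grouping log entries by remote_addr groups unrelated clients together.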